APPLIED VOIP SECURITY & RELIABILITY ON COMMODITY SERVICES, HARDWARE & SOFTWARE
     …a primer on what works in the real world
Informal Poll
   Legacy PBX replacement / upgrade path?

   VoIP in your enterprise?

   Asterisk in your enterprise?

   Just starting out with VoIP?
Presentation Overview
   Review common business communications struggles
   Asterisk lessons learned
   “Mid-dive”
   Solutions overview: availability, reliability, security
     Software
     Hardware
     ITSPs we rely on
     Measurement methods
Speaker Introduction
   Dennis Little (KeyCruncher)
   Passion: “Technology Translator” & Communications
   Head, Business Communications division
   Asterisk believer since 2005
   tapestry technologies, LLC (tt)
   MyBusinessTelephone.com
   SME: Defense IT Policy, Training
   Shout-out: Anteil, Inc.
   Contact: IRC keycruncher, KeyCruncher.com, dennis@tapestrytech.com
Why believe in Asterisk?
   Engineering support for a large, proprietary (Avaya) installation
     $400M organization, $40k benevolent care / day
     Supporting 2,200+ staff and 3,000+ seniors in PA, MD & DE
     Serving 70,000+ families & children per year
   A lot of FOSS software underneath…
Full Disclosure
   tapestry Affiliations
     Digium® Affiliate Asterisk® Integrator
     Polycom® Authorized Partner (VoIP)
     Xorcom® Certified Dealer
     (but we used them before we dealt them)
   My experience + struggles + solutions != the best way
Why Voice over IP? Why Asterisk?
   Quality
   Flexibility & Scalability
     Connectivity, providers, contact center location
     Contract commitments (or lack thereof)
     Easy path forward for legacy systems
   Standards-based vs. proprietary
   Return on Investment & cost savings
Case Study Overview
   Lodging business
   Startup in 2009 with 4 staff in 2 states
   ? carriers, ? volume
   Robust, secure, flexible
   Future = ??
   Today: ~27 staff in 7 locations
   Remote colo w/ failover
Communications Problem Overview
   Problem: SIP + NAT traversal
     Solution: good protocol understanding & network design
   Problem: quality phone conversations
     Solution: QoS on expensive data/voice lines
   Problem: security
     Solution: least-privilege & encryption / encapsulation, firewalls, fail2ban, etc.
Solution(s) Philosophy
   FOSS where it makes business sense
   FOSS where it is ready for prime time
   Encryption.
   Least-privilege.
   Always have a failover and backup(s)
Requirements: Providers
   Quality colo facilities
   History of reliability & availability
   ITSPs (always have a failover plan)
     Vitelity – flexibility, very good support, reliable
     Bandwidth.com – reputable, unlimited usage
Requirements: Security
   Only allow necessary traffic
     VoIP provider should be able to tell you all of their subnets
     You should know all of yours
   VPN tunnel everything – it was worth the overhead here
   Follow VoIP security best practices & stay involved
     Community events & networking w/ like-minded folks
     Excellent documentation
     IRC / Mailing lists / RSS feeds
     VUC.me (VoIP Users Conference call: Friday, noon)
Hardware
   Servers: Dell R310
   Telephones:
     Polycom SoundPoint IP 335, 650, 670, 7000
     Bria, X-Lite, Zoiper
   VPN routers: Foxconn R10-D2 / Atom D510 (image courtesy: NewEgg.com)
   SuperMicro 5015A
   (this solution is 100% VoIP)
Software
   Asterisk
   iptables + Fail2ban (+ least-privileged access)
   OpenVPN – E2E encryption, easy access control
   Vyatta community edition
   KVM VMs + DRBD – HA failover b/t call servers
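An added example (not from the deck) of the "only allow necessary traffic" rule from Requirements: Security, applied with the iptables + Fail2ban layer listed above. The ITSP subnets, site/VPN subnets, SIP port and RTP range are constructed placeholders; the script emits iptables rules that accept SIP and RTP only from those ranges and logs everything else on the VoIP ports so fail2ban has something to act on.

```python
"""Least-privilege SIP/RTP allow-list for an Asterisk host (added example)."""
from ipaddress import ip_address, ip_network

# Constructed placeholders: replace with the subnets the ITSP gives you
# and with the address plan of your own sites and OpenVPN tunnel.
ITSP_SUBNETS = ["198.51.100.0/24", "203.0.113.0/25"]   # from the provider
OWN_SUBNETS = ["10.8.0.0/24", "192.168.1.0/24"]         # VPN + office LANs

SIP_PORT = 5060              # assumed UDP signalling port
RTP_RANGE = (10000, 20000)   # assumed; must match rtpstart/rtpend in rtp.conf


def trusted_networks(itsp, own):
    """Parse both lists and refuse overlapping ranges (usually a typo)."""
    nets = [ip_network(n, strict=True) for n in itsp + own]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping subnets {a} and {b}")
    return nets


def is_trusted(src_ip, nets):
    """True if a packet from src_ip would be allowed to reach SIP/RTP."""
    addr = ip_address(src_ip)
    return any(addr in n for n in nets)


def iptables_rules(nets, sip_port=SIP_PORT, rtp_range=RTP_RANGE):
    """Accept SIP + RTP from trusted ranges only; log then drop the rest."""
    lo, hi = rtp_range
    rules = []
    for n in nets:
        rules.append(f"iptables -A INPUT -s {n} -p udp --dport {sip_port} -j ACCEPT")
        rules.append(f"iptables -A INPUT -s {n} -p udp --dport {lo}:{hi} -j ACCEPT")
    # Anything else aimed at the VoIP ports is logged (a fail2ban filter can
    # key on the prefix) and dropped, so scanners never reach Asterisk.
    rules.append(f'iptables -A INPUT -p udp --dport {sip_port} -j LOG --log-prefix "SIP-DROP: "')
    rules.append(f"iptables -A INPUT -p udp --dport {sip_port} -j DROP")
    rules.append(f"iptables -A INPUT -p udp --dport {lo}:{hi} -j DROP")
    return rules


if __name__ == "__main__":
    nets = trusted_networks(ITSP_SUBNETS, OWN_SUBNETS)
    print("\n".join(iptables_rules(nets)))
```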
OpenVPN
   Easy access control for networks & road warriors
   Two-factor authentication (certificate + password)
   Routed & bridged modes
   Built-in support for OpenVPN in Vyatta
   Windows: OpenVPN GUI (non-admin in Win7? Use subinacl utility)
   Mac OS X: Viscosity
   OpenVPN Access Server
Vyatta Network OS (~SBC)
   Powerful, familiar CLI (i.e. Linux, tab completion, contextual hints & help)
   unionfs + RAMdisk to reduce writes on USB storage
   QoS control – set aside for VoIP / data
   WAN failover – combine cheap circuits
   High Availability (free) & HA sync ($)
   Virtualized editions available
   $0 or low cost (web filtering requires subscription)
Vyatta configuration excerpt
interfaces {
    ethernet eth0 {
        duplex: "auto"
        speed: "auto"
        address 123.123.123.2 {
            prefix-length: 30
            disable: false
        }
        firewall {
            in {
                name: "from-external"
            }
            local {
                name: "to-router"
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name "eth1_pool" {
            subnet 192.168.1.0/24 {
                start 192.168.1.65 {
                    stop: 192.168.1.199
                }
                dns-server 209.218.76.2
                dns-server 208.67.220.220
                default-router: 192.168.1.1
                lease: 86400
                authoritative: "disable"
            }
        }
    }
}
Topology Overview
   (diagram)
KVM
   (diagram courtesy IBM: http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/topic/liaat/kvm_over.jp)
DRBD
   (diagram courtesy: http://www.drbd.org/uploads/pics/overview_02.gif)
Requirements: Commodity Internet
   Consistently:
     Low latency to the ITSP
     0% packet loss
     Adequate bandwidth for X calls
   In general: DSL or fiber for voice, (shared) cable for all other
   Quality measurement tools?
     MyVoIPSpeed.visualWare.com
Requirements: Circuit Capacity
   How do we carve up the circuit?
     REMEMBER: we are dealing with commodity internet (no SLA), i.e. best-effort circuit delivery
     Average of 5 tests over time
     80-85% of performance from averages is what we assume
     Determine set-asides accordingly (calculators)
Case Outcomes
   Standardized carriers
   Volume and trends insight – business intel.
   Leverage with carriers to reduce rates
   Cut call center hours by 3 hours each day
   Failover between servers, sites and at the ITSP level works really well
   Ability to go mobile when needed because of disasters
A few things to remember…
   Security (least-privilege, fail2ban, VoIP best practices, etc.)
   Test, test, test
   Failover != backup
   RAID != backup
   mirror != backup
   Educate and listen
   Lean on the work already done: AsteriskDocs.org, Asterisk.org, voip-info.org, …
Before we wrap up… any questions?
Short Review
   Solution: providers, HW, SW, security
   Thank you, Digium & tapestry technologies
   Thank YOU for coming
   More questions?
     Dennis Little, tapestry technologies
     IRC: KeyCruncher
     web: KeyCruncher.com
     dennis@tapestrytech.com
     (877) 372-6782
     MyBusinessTelephone.com
Resources
   FoxconnChannel.com
   Polycom.com
   SuperMicro.com
   Digium.com
   PBXinaFlash.net
   OpenVPN.net / .se
   Vyatta.org
   Linux-KVM.org
   DRBD.org
   Vitelity.com
   Bandwidth.com


Editor's Notes

  1. My goal: present lessons learned and solution highlights, give you enough to get started and ask me or the community questions, support worthy projects and providers
  2. My goal: present lessons learned and solution highlights, give you enough to get started and ask me or the community questions, support worthy projects and providers
  3. Love technology and people: teaching efficiency & communications. Experience: SMB & Fortune 500 – generally on the SMB side, Rite Aid acquisition of Eckerd Drug (~1850 stores). Fascination with telephones: age 5, kitchen phone pinched wire
  4. Started out on Nortel, hands-on support. Avaya: RHEL, MySQL, SIP + proprietary. Very expensive, land-locked solutions: ~$32k for a 40-person office. Started looking for a small office solution: discovered trixbox & Aastra. Asterisk can almost always do everything the big boys can do
  5. Everything that I will talk about in this case study is represented by one of these three companies
  6. Lodging solutions. Rapid growth predicted. Geographically dispersed and needed to be able to connect easily. Reservations, file sharing already in place in central colo. Needed something flexible & affordable to grow and scale with the business: Asterisk was the answer
  7. Lodging solutions. Rapid growth predicted. Geographically dispersed and needed to be able to connect easily. Reservations, file sharing already in place in central colo. Needed something flexible & affordable to grow and scale with the business: Asterisk was the answer
  8. Failover strategy depends heavily on the client’s tolerance for downtime and the tolerance, in turn, of their clients for the same
  9. Foxconn – around $160/each
  10. Not going to cover PIAF and iptables/Fail2ban. OpenVPN – easy to phone home = easy provisioning
  11. Viscosity does seem to have a quirk with network routing delay – anyone found anything better?